
[pkgsrc/trunk]: pkgsrc/www/websvn Fix various cross-site scripting issues in ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1a06f999d70c
branches:  trunk
changeset: 544131:1a06f999d70c
user:      tonnerre <tonnerre%pkgsrc.org@localhost>
date:      Sun Jul 13 11:15:27 2008 +0000

description:
Fix various cross-site scripting issues in websvn (CVE-2007-3056).

diffstat:

 www/websvn/Makefile         |   5 +++--
 www/websvn/distinfo         |   8 +++++++-
 www/websvn/patches/patch-aa |  16 ++++++++++++++++
 www/websvn/patches/patch-ab |  35 +++++++++++++++++++++++++++++++++++
 www/websvn/patches/patch-ac |  16 ++++++++++++++++
 www/websvn/patches/patch-ad |  16 ++++++++++++++++
 www/websvn/patches/patch-ae |  13 +++++++++++++
 www/websvn/patches/patch-af |  26 ++++++++++++++++++++++++++
 8 files changed, 132 insertions(+), 3 deletions(-)

diffs (185 lines):

diff -r 169e41367bd3 -r 1a06f999d70c www/websvn/Makefile
--- a/www/websvn/Makefile       Sat Jul 12 17:04:12 2008 +0000
+++ b/www/websvn/Makefile       Sun Jul 13 11:15:27 2008 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.17 2008/06/20 01:09:44 joerg Exp $
+# $NetBSD: Makefile,v 1.18 2008/07/13 11:15:27 tonnerre Exp $
 #
 
 DISTNAME=      WebSVN_161
 PKGNAME=       websvn-1.61
-PKGREVISION=   7
+PKGREVISION=   8
 CATEGORIES=    www
 MASTER_SITES=  http://websvn.tigris.org/files/documents/1380/14334/
 
@@ -42,6 +42,7 @@
 
 do-install:
        ${INSTALL_DATA} ${WRKSRC}/include/distconfig.inc ${DESTDIR}${EGDIR}
+       cd ${WRKSRC} && rm -f *.orig
        cd ${WRKSRC} && pax -rwppm . ${DESTDIR}${PREFIX}/${HTTPD_ROOT}/websvn
        ${RM} ${DESTDIR}${PREFIX}/${HTTPD_ROOT}/websvn/include/distconfig.inc
 
diff -r 169e41367bd3 -r 1a06f999d70c www/websvn/distinfo
--- a/www/websvn/distinfo       Sat Jul 12 17:04:12 2008 +0000
+++ b/www/websvn/distinfo       Sun Jul 13 11:15:27 2008 +0000
@@ -1,5 +1,11 @@
-$NetBSD: distinfo,v 1.4 2005/02/24 14:08:40 wiz Exp $
+$NetBSD: distinfo,v 1.5 2008/07/13 11:15:27 tonnerre Exp $
 
 SHA1 (WebSVN_161.tar.gz) = 7fecbaa9619e3061ea57dda0a4bfcb4a3cca888d
 RMD160 (WebSVN_161.tar.gz) = aedd187926ff286b5582f2359cbe3fb56d7a0bc9
 Size (WebSVN_161.tar.gz) = 89305 bytes
+SHA1 (patch-aa) = 021727c38d33ccedeaec8c82de912ed94baae565
+SHA1 (patch-ab) = 4724707d5fd3f3699918dfd9754ac92eefec9c8f
+SHA1 (patch-ac) = 6cde8ef4cf0ee0dfd4619a5acebfe09aff40e95c
+SHA1 (patch-ad) = a4c673d6f27629573d520213bd66b9d084a11a64
+SHA1 (patch-ae) = d74b9be874c88edd213fbbd297e8cd0f8bbaf46a
+SHA1 (patch-af) = 92464e74e3aa86529bb0438d7d015dfce9c82de5
diff -r 169e41367bd3 -r 1a06f999d70c www/websvn/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/websvn/patches/patch-aa       Sun Jul 13 11:15:27 2008 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-aa,v 1.1 2008/07/13 11:15:27 tonnerre Exp $
+
+--- blame.php.orig     2004-08-26 10:29:32.000000000 +0200
++++ blame.php
+@@ -49,9 +49,9 @@ else
+ $pos = strrpos($ppath, "/");
+ $parent = substr($ppath, 0, $pos + 1);
+ 
+-$vars["repname"] = $rep->name;
++$vars["repname"] = htmlentities($rep->name, ENT_QUOTES, 'UTF-8');
+ $vars["rev"] = $rev;
+-$vars["path"] = $ppath;
++$vars["path"] = htmlentities($ppath, ENT_QUOTES, 'UTF-8');
+ 
+ createDirLinks($rep, $ppath, $rev, $showchanged);
+ 
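Review bot: `$vars["rev"] = $rev;` is left unescaped between the two lines this patch escapes, and nothing in the hunk shows whether `$rev` has been validated earlier; the `if ($rev2 == 0) $rev2 = "HEAD";` context in patch-ab suggests it can be a string as well as a number, so the consistent treatment would be `$vars["rev"] = htmlentities($rev, ENT_QUOTES, 'UTF-8');` rather than the `(int)` cast patch-ab uses for request values. The same untouched `$vars["rev"]` line appears in patch-ac, patch-ad, patch-ae and patch-af. The surrounding code of blame.php is outside the patch context, so where `$rev` is assigned cannot be checked here.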
diff -r 169e41367bd3 -r 1a06f999d70c www/websvn/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/websvn/patches/patch-ab       Sun Jul 13 11:15:27 2008 +0000
@@ -0,0 +1,35 @@
+$NetBSD: patch-ab,v 1.1 2008/07/13 11:15:27 tonnerre Exp $
+
+--- comp.php.orig      2004-08-30 14:28:10.000000000 +0200
++++ comp.php
+@@ -54,8 +54,8 @@ $svnrep = new SVNRepository($rep->path);
+ // Retrieve the request information
+ $path1 = @$_REQUEST["compare"][0];
+ $path2 = @$_REQUEST["compare"][1];
+-$rev1 = @$_REQUEST["compare_rev"][0];
+-$rev2 = @$_REQUEST["compare_rev"][1];
++$rev1 = (int)@$_REQUEST["compare_rev"][0];
++$rev2 = (int)@$_REQUEST["compare_rev"][1];
+ 
+ // Some page links put the revision with the path...
+ if (strpos($path1, "@")) list($path1, $rev1) = explode("@", $path1);
+@@ -89,15 +89,15 @@ if ($rev2 == 0) $rev2 = "HEAD";
+ $vars["repname"] = $rep->name;
+ $vars["action"] = $lang["PATHCOMPARISON"];
+ $vars["compare_form"] = "<form action=\"$url\" method=\"post\" name=\"compareform\">";
+-$vars["compare_path1input"] = "<input type=\"text\" size=\"40\" name=\"compare[0]\" value=\"$path1\">";
++$vars["compare_path1input"] = "<input type=\"text\" size=\"40\" name=\"compare[0]\" value=\"" . htmlentities($path1, ENT_QUOTES, 'UTF-8') . "\">";
+ $vars["compare_rev1input"] = "<input type=\"text\" size=\"5\" name=\"compare_rev[0]\" value=\"$rev1\">";
+-$vars["compare_path2input"] = "<input type=\"text\" size=\"40\" name=\"compare[1]\" value=\"$path2\">";
++$vars["compare_path2input"] = "<input type=\"text\" size=\"40\" name=\"compare[1]\" value=\"" . htmlentities($path2, ENT_QUOTES, 'UTF-8') . "\">";
+ $vars["compare_rev2input"] = "<input type=\"text\" size=\"5\" name=\"compare_rev[1]\" value=\"$rev2\">";
+ $vars["compare_submit"] = "<input name=\"comparesubmit\" type=\"submit\" value=\"${lang["COMPAREPATHS"]}\">";
+ $vars["compare_endform"] = "<input type=\"hidden\" name=\"op\" value=\"comp\"><input type=\"hidden\" name=\"manualorder\" value=\"1\"><input type=\"hidden\" name=\"sc\" 
value=\"$showchanged\"></form>";   
+ 
+-$vars["path1"] = $path1;
+-$vars["path2"] = $path2;
++$vars["path1"] = htmlentities($path1, ENT_QUOTES, 'UTF-8');
++$vars["path2"] = htmlentities($path2, ENT_QUOTES, 'UTF-8');
+ 
+ $vars["rev1"] = $rev1;
+ $vars["rev2"] = $rev2;
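Review bot: The `(int)` casts added for `$rev1` and `$rev2` are undone two lines later for the `path@rev` form, where the context line `list($path1, $rev1) = explode("@", $path1);` reassigns `$rev1` from the still-raw `$path1` as a string; that value is then interpolated verbatim into `value=\"$rev1\"` and `$vars["rev1"]` in the second inner hunk. Re-cast after the split, e.g. `if (strpos($path1, "@")) { list($path1, $rev1) = explode("@", $path1); $rev1 = (int)$rev1; }`, and presumably the same for the `$path2` counterpart, which falls outside the first inner hunk. The second inner hunk also leaves `$vars["repname"] = $rep->name;` unescaped, unlike patch-aa, patch-ac, patch-ad and patch-af, which is at least inconsistent.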
diff -r 169e41367bd3 -r 1a06f999d70c www/websvn/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/websvn/patches/patch-ac       Sun Jul 13 11:15:27 2008 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-ac,v 1.1 2008/07/13 11:15:27 tonnerre Exp $
+
+--- diff.php.orig      2004-08-26 10:29:32.000000000 +0200
++++ diff.php
+@@ -59,9 +59,9 @@ else
+ 
+ $prevrev = @$history[1]["rev"];
+ 
+-$vars["repname"] = $rep->name;
++$vars["repname"] = htmlentities($rep->name, ENT_QUOTES, 'UTF-8');
+ $vars["rev"] = $rev;
+-$vars["path"] = $ppath;
++$vars["path"] = htmlentities($ppath, ENT_QUOTES, 'UTF-8');
+ $vars["prevrev"] = $prevrev;
+ 
+ $vars["rev1"] = $history[0]["rev"];
diff -r 169e41367bd3 -r 1a06f999d70c www/websvn/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/websvn/patches/patch-ad       Sun Jul 13 11:15:27 2008 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-ad,v 1.1 2008/07/13 11:15:27 tonnerre Exp $
+
+--- filedetails.php.orig       2004-08-26 10:29:32.000000000 +0200
++++ filedetails.php
+@@ -127,9 +127,9 @@ else
+    $vars["goyoungestlink"] = "";
+ 
+ $vars["action"] = "";
+-$vars["repname"] = $rep->name;
++$vars["repname"] = htmlentitites($rep->name, ENT_QUOTES, 'UTF-8');
+ $vars["rev"] = $rev;
+-$vars["path"] = $ppath;
++$vars["path"] = htmlentities($ppath, ENT_QUOTES, 'UTF-8');
+ 
+ createDirLinks($rep, $ppath, $passrev, $showchanged);
+ 
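Review bot: The added line `$vars["repname"] = htmlentitites($rep->name, ENT_QUOTES, 'UTF-8');` misspells the function name, so filedetails.php would stop with an undefined-function error on every request instead of escaping the value; it should read `$vars["repname"] = htmlentities($rep->name, ENT_QUOTES, 'UTF-8');` as in patch-aa, patch-ac and patch-af. The SHA1 recorded for patch-ad in distinfo would need regenerating once the patch file is corrected.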
diff -r 169e41367bd3 -r 1a06f999d70c www/websvn/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/websvn/patches/patch-ae       Sun Jul 13 11:15:27 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1 2008/07/13 11:15:27 tonnerre Exp $
+
+--- listing.php.orig   2004-08-30 10:49:58.000000000 +0200
++++ listing.php
+@@ -235,7 +235,7 @@ $vars["date"] = $log['date'];
+ $vars["log"] = nl2br($bugtraq->replaceIDs(create_anchors($log['message'])));
+ $vars["rev"] = $rev;
+ $vars["lastchangedrev"] = $logrev;
+-$vars["path"] = $ppath;
++$vars["path"] = htmlentities($ppath, ENT_QUOTES, 'UTF-8');
+ 
+ if (!$showchanged)
+ {
diff -r 169e41367bd3 -r 1a06f999d70c www/websvn/patches/patch-af
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/websvn/patches/patch-af       Sun Jul 13 11:15:27 2008 +0000
@@ -0,0 +1,26 @@
+$NetBSD: patch-af,v 1.1 2008/07/13 11:15:27 tonnerre Exp $
+
+--- log.php.orig       2004-08-26 14:47:30.000000000 +0200
++++ log.php
+@@ -98,9 +98,9 @@ else
+    $ppath = $path;
+ 
+ $vars["action"] = $lang["LOG"];
+-$vars["repname"] = $rep->name;
++$vars["repname"] = htmlentities($rep->name, ENT_QUOTES, 'UTF-8');
+ $vars["rev"] = $rev;
+-$vars["path"] = $ppath;
++$vars["path"] = htmlentities($ppath, ENT_QUOTES, 'UTF-8');
+ 
+ createDirLinks($rep, $ppath, $passrev, $showchanged);
+ 
+@@ -278,7 +278,8 @@ if ($pages > 1)
+ $url = $config->getURL($rep, $path, "log");
+ $vars["logsearch_form"] = "<form action=\"$url\" method=\"post\" name=\"logsearchform\">";
+ 
+-$vars["logsearch_inputbox"] = "<input name=\"search\" value=\"$search\">";
++$vars["logsearch_inputbox"] = "<input name=\"search\" value=\"" .
++      htmlentities($search, ENT_QUOTES, 'UTF-8') . "\">";
+ 
+ $vars["logsearch_submit"] = "<input type=\"submit\" value=\"${lang["GO"]}\">";
+ $vars["logsearch_endform"] = "<input type=\"hidden\" name=\"logsearch\" value=\"1\">".


